10.6 eDiscovery, Audit, and Insider Risk Management
Key Takeaways
- eDiscovery, audit, and insider risk management are Microsoft Purview compliance topics in the SC-900 outline.
- eDiscovery aligns to discovery and investigation scenarios involving content.
- Audit aligns to scenarios about reviewing activity records.
- Insider risk management aligns to scenarios about risk from activity inside the organization.
Investigation and Risk Capabilities
The SC-900 outline includes eDiscovery, Audit, and Insider risk management in Microsoft compliance solutions. These topics sit near classification, labels, DLP, and retention, but each maps to a different scenario verb. eDiscovery is about discovery needs involving content. Audit is about reviewing activity records. Insider risk management is about identifying and managing risk related to activity from inside the organization.
These capabilities are easy to confuse with security operations tools. Microsoft Sentinel is used for SIEM and SOAR scenarios such as analytics, incidents, hunting, workbooks, and playbooks. Microsoft Defender products are used for protection, posture, threat intelligence, endpoint, app, identity, and workload security scenarios. Purview eDiscovery, audit, and insider risk management belong to compliance and data governance scenarios.
| Capability | Main scenario | Best clue |
|---|---|---|
| eDiscovery | Discovery or investigation involving content | Find, collect, review, discovery |
| Audit | Review activity records | Audit, activity record, who did what |
| Insider risk management | Address risk from activity inside the organization | Insider risk, risky activity, internal activity |
| Data loss prevention | Prevent sensitive data exposure | Block, prevent, reduce risky sharing |
A question about eDiscovery may mention legal, investigation, discovery, or review needs. A question about audit may focus on finding activity history or understanding which actions were taken in the environment, and by whom. A question about insider risk management may describe concern about risky internal activity. The verb and object in the scenario matter more than the name of the department asking.
Do not choose eDiscovery just because a question mentions data. If the organization wants to classify data, choose classification. If it wants to mark data as confidential, choose sensitivity labels. If it wants to keep records, choose retention. If it wants to find and review content for a discovery need, choose eDiscovery. If it wants to inspect activity records, choose audit.
Use this final Purview decision list:
- Discovery of content for a legal or investigation need: eDiscovery.
- Activity record review: Audit.
- Risk related to internal activity: Insider risk management.
- Prevention of sensitive data sharing: DLP.
- Lifecycle and records governance: retention or records management.
- Sensitivity classification or protection: sensitivity labels.
This chapter completes the compliance solution map for SC-900. Microsoft Purview is broad, so the exam often tests whether you can choose the specific Purview capability instead of the broad family name. The safest approach is to match the verb: classify, explore, label, prevent, retain, discover, audit, or manage insider risk.
These three topics also show why Microsoft Purview is not limited to prevention. Some Purview capabilities help govern data before a problem occurs, while others support investigation, review, and risk management after activity has happened.
Review Questions
- A legal team needs to find and review content for a discovery need. Which Microsoft Purview capability best fits? Answer: eDiscovery, because the scenario verb is "find and review content" for a discovery need.
- A compliance investigator needs to review activity records. Which Microsoft Purview topic is the best match? Answer: Audit, because the object of the scenario is activity records (who did what), not content.
- Which scenario best matches insider risk management? Answer: one that describes concern about risky activity originating from inside the organization, rather than a need to find content (eDiscovery), inspect activity records (Audit), or block sensitive sharing (DLP).